[libvirt] [PATCH] selinux: Use raw contexts

Martin Kletzander mkletzan at redhat.com
Fri Oct 12 15:17:51 UTC 2012


On 10/12/2012 04:53 PM, Eric Blake wrote:
> On 10/12/2012 08:39 AM, Martin Kletzander wrote:
>> We are currently able to work only with non-translated SELinux
>> contexts, but we are using functions that work with translated
>> contexts throughout the code.  This patch swaps all SELinux context
>> translation-related calls with their raw sisters to avoid parsing
>> problems.
>>
>> The problems can be experienced with mcstrans for example.
>> Thanks Laurent Bigonville for finding this out.
>> ---
>>  configure.ac                    |  4 ++--
>>  src/security/security_selinux.c | 26 +++++++++++++-------------
>>  src/storage/storage_backend.c   |  2 +-
>>  tests/securityselinuxhelper.c   |  6 +++---
>>  tests/securityselinuxtest.c     |  2 +-
>>  5 files changed, 20 insertions(+), 20 deletions(-)
>>
>> diff --git a/configure.ac b/configure.ac
>> index bcdea9c..08dc63d 100644
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -1440,14 +1440,14 @@ if test "$with_selinux" != "no"; then
>>    old_libs="$LIBS"
>>    if test "$with_selinux" = "check"; then
>>      AC_CHECK_HEADER([selinux/selinux.h],[],[with_selinux=no])
>> -    AC_CHECK_LIB([selinux], [fgetfilecon],[],[with_selinux=no])
>> +    AC_CHECK_LIB([selinux], [fgetfilecon_raw],[],[with_selinux=no])
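Review bot: at `+    AC_CHECK_LIB([selinux], [fgetfilecon_raw],[],[with_selinux=no])` the probe is swapped rather than added, so on a libselinux that lacks the *_raw variants a `--with-selinux=check` build now silently ends up with `with_selinux=no` instead of falling back to fgetfilecon; if older libselinux is meant to stay supported, probe both symbols and pick the raw variants under a conditional, otherwise state the minimum libselinux version this change requires.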
> 
> On my F17 box, 'man fgetfilecon' has a listing, but 'man
> fgetfilecon_raw' does not.  What is the difference between these
> functions, and how far back into the past does fgetfilecon_raw exist?
> Do we need to make this patch conditional, and fall back on fgetfilecon
> (as it is better than nothing) on older systems that lack the *_raw
> variants?
> 

The difference is that if you have translations enabled (yum install
mcstrans; service mcstrans start), fgetfilecon_raw() will get you
something like 'system_u:object_r:virt_image_t:s0', whereas
fgetfilecon() will return 'system_u:object_r:virt_image_t:SystemLow'
that we cannot parse.  The translations can be (to my knowledge) very
different even though this is the only one I know about.  These
translated contexts should be used for reporting to users, I guess.

It is a problem, for example, with a context like:
'unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh'
that is basically:
'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'

I'm trying to confirm that the _raw variants were here since the dawn of
time, but the only thing I see now is that it was imported together in
the upstream repo [1] from svn, so before 2008.

[1] http://oss.tresys.com/git/selinux.git
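
The parsing failure described in the reply, as an added illustration that is not libvirt's code: a small stand-alone checker that accepts only the raw MLS range form (`s0`, `s0-s0:c0.c1023`) of a `user:role:type:range` context and rejects the mcstrans-translated form (`SystemLow-SystemHigh`) that fgetfilecon() hands back. The sample contexts are constructed, and an MLS-enabled policy (four-field contexts) is assumed; no libselinux is needed to run it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Parse one raw MLS level: "s<N>" optionally followed by ":" and a
 * comma-separated list of categories, each "c<N>" or a range "c<N>.c<M>".
 * On success advance *p past the level and return true. */
static bool parse_raw_level(const char **p)
{
    const char *s = *p;
    if (*s++ != 's' || !isdigit((unsigned char)*s))
        return false;
    while (isdigit((unsigned char)*s)) s++;
    if (*s == ':') {
        do {
            s++;                                   /* skip ':' or ',' */
            if (*s++ != 'c' || !isdigit((unsigned char)*s))
                return false;
            while (isdigit((unsigned char)*s)) s++;
            if (*s == '.') {                       /* category range c0.c1023 */
                s++;
                if (*s++ != 'c' || !isdigit((unsigned char)*s))
                    return false;
                while (isdigit((unsigned char)*s)) s++;
            }
        } while (*s == ',');
    }
    *p = s;
    return true;
}

/* Return a pointer to the range field of "user:role:type:range" when that
 * range is in raw (untranslated) form, NULL otherwise.  A translated range
 * such as "SystemLow" fails at the very first character. */
const char *raw_context_range(const char *ctx)
{
    const char *range = ctx;
    for (int i = 0; i < 3; i++) {                  /* skip user, role, type */
        const char *colon = strchr(range, ':');
        if (!colon || colon == range)
            return NULL;
        range = colon + 1;
    }
    const char *p = range;
    if (!parse_raw_level(&p))
        return NULL;
    if (*p == '-' && !parse_raw_level(++p ? &p : &p)) /* optional high level */
        return NULL;
    return *p == '\0' ? range : NULL;
}
```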